Reader's Digest hit with Angler trojan exploit

Jerome Segura of Malwarebytes says that hackers have compromised a Reader's Digest article, "9 Home Remedies for Foot Odor That Are Shockingly Effective", and that it is being used to serve up the Angler exploit kit and other trojan backdoors.

Segura says the Reader's Digest site was still serving up the malware through the highly capable drive-by threat today, as the publisher had not yet responded to his disclosure.

The Malwarebytes threat analyst said, "The attack consists of a malicious script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit."

"Site owners that have been affected should keep in mind that those injected scripts/URLs will vary over time, although they are all using the same pattern. The website of popular magazine Reader's Digest is one of the victims of this campaign and people who have visited the portal recently should make sure they have not been infected."

Attackers infected the Reader's Digest smelly feet article but could also have targeted and compromised other pages. The significance of the Reader's Digest attack is that its site is visited by over three million readers a month.

Malvertising is insidious and takes place silently during so-called drive-by download attacks, with the user being completely unaware that their computer has been compromised. In the case of the Reader's Digest attack, the payload delivered is Bedep, an ad-fraud payload which reappeared in 2015 as a direct result of its use in various exploit kit attacks.

Bedep works in conjunction with the Necurs backdoor, a malware downloader; however, these could change if attackers decide to vary their attacks.

UPDATE: Reader's Digest reached out to us with the following statement: "We became aware of the malware attack last week and have been working with our security provider, technology partners and platform provider to investigate the issue and perform extensive security checks on our website.

"At this point, we are addressing all known vulnerabilities of the site. We take security very seriously and are taking every step to ensure the integrity of our site. We are working to resolve this issue as quickly as possible and hope to have the site running normally very shortly."